Security Issues

Any network with Internet access exposes the network to some security risks. In addition, some Solaris for ISPs features introduce others. In every case, there are several security measures that can be implemented to protect your network. The following sections discuss some good system administration practices and Solaris for ISPs features that will enable you to secure your network from these risks.

Standard Internet Security Risks

Connecting the network to other networks on the Internet exposes your network to potential service interruptions, unauthorized intrusion, and considerable damage. This section discusses such standard network security risks that you must be aware of. Protections against these risks are discussed in "How To Tighten Security".

• Denial of Service Attacks: These attacks disable the system from serving customers and make a service unavailable for the customer. For example, the attacks can flood the network with useless traffic resulting in inability to serve customers. Most often, such attacks could crash the system or just make the system really slow in serving customers.

• Buffer Overrun Exploits: These include exploiting the software weakness to add arbitrary data into a program, which when run as root, may give the exploiter root access to your system. This may also result in a denial of service attack.

• Snooping and Replay Attacks: The snooping attacks involve an intruder listening to traffic between two machines on your network. The traffic may include passing unencrypted passwords back and forth while using telnet, rlogin, or ftp. This might result in an unauthorized individual breaking into your network or reading confidential data.

• IP Spoofing: Attacks based on IP spoofing involve unauthorized access to computers. The intruder listening to your network traffic finds an IP address of a trusted host, and sends messages indicating that the message is coming from that trusted host.

• Internal Exposure: Most network break-ins are the result of a malicious or disgruntled present or former employee misusing access to information or breaking into your network.

Security Risks in Solaris for ISPs

This section discusses some Solaris for ISPs features that leave the software open to some security risks. Please refer to "How To Tighten Security" for protection against these risks.

• Administration Products: Solaris for ISPs administration products for individual services, such as ftp or news, provides new paths for accessing privileged operations. This intruder, by knowing, guessing, or cracking the password of the administrator, may change the behavior of the services by exploiting their administrator interface through the network. However, Sunscreen^TM SKIP, bundled with Solaris for ISPs, authenticates incoming traffic and ensures that outgoing data is not viewed by others while in transit.

• Remote Command Execution Mechanism: Sun Internet Administrator provides access to all of the command-line administration commands through its administrator console remote execution mechanism. An intruder may break this mechanism and gain access to those commands. However, access to these commands can be restricted, by root, to registered system administrators only.

• Sun Directory Services: This Solaris for ISPs software can be used to store and manage passwords and information about other Solaris for ISPs extensions and services. An intruder may break in and exploit access to such privileged information. However, most passwords in Sun Directory Services are encrypted. Unencrypted passwords in Sun Directory Services require root access.

How To Tighten Security

To protect your system from unauthorized users accessing, corrupting, or changing information, and to make the network available to authorized users:

• Regularly change passwords and encourage using not-easy-to-guess passwords. Solaris for ISPs software forces all passwords to change periodically if local files are used for password management.

• Use public-key cryptography to encrypt all traffic between trusted hosts at the IP level. SKIP, bundled with Solaris for ISPs, authenticates incoming IP traffic and ensures that outgoing data is not altered or viewed by others while in transit.

• Use routers that can identify trusted hosts and block spoofed IP addresses.

• Fix vulnerabilities and bulletproof your software.

• Disable unwanted services that open your network to security risks. Solaris for ISPs host configuration software, as part of the initial installation process, can disable some 'r' commands to ensure protection for passwords and to restrict access to hosts for unauthorized individuals.

• Provide employees access only to the data or information their work requires.

• Implement security mechanisms such as network monitoring and firewalls.